report distribution. The audit team members are listed inside the back cover.
Information Assurance for the Defense Civilian Personnel Data System • Washington Headquarters Services


Executive  Summary 


Introduction. This report is the last of four reports in our ongoing review of the Defense Civilian Personnel Data System. The previous reports discuss acquisition management controls for the Defense Civilian Personnel Data System, information assurance controls for the overall system, and information assurance controls for the Defense Civilian Personnel Data System as it related to Navy. The Defense Civilian Personnel Data System currently in operation is a legacy automated information system that processes sensitive-but-unclassified information for at least 750,000 DoD civilian personnel records. The DoD is modernizing the Defense Civilian Personnel Data System as it regionalizes the delivery of civilian personnel service into 22 regional service centers and approximately 300 customer support units. The modern Defense Civilian Personnel Data System is scheduled to replace the legacy system when regionalization is complete. The Washington Headquarters Services, Human Resource Services Center, will serve as one of the three Defense agency regions and serves seven customer support units, processing approximately 10,000 personnel records.

Audit Objectives. The overall audit objective was to evaluate the adequacy of information assurance for the Defense Civilian Personnel Data System at Washington Headquarters Services. Specifically, we evaluated security planning, risk analysis, and security management. We did not evaluate the security of network and communications infrastructure because DoD resources were not available to conduct vulnerability assessments. We also reviewed the management control program as it applied to the audit objectives.

Audit Results. Washington Headquarters Services has a security policy, security plan, contingency plan, and system access and physical security controls in place; however, it needs to improve information assurance for the Defense Civilian Personnel Data System. Without adequate information assurance controls, Washington Headquarters Services cannot ensure the confidentiality, integrity, and availability of more than 10,000 personnel records. See Part I for the complete discussion and Appendix A for details of the review of the management control program.

Corrective Actions Taken or Planned. Washington Headquarters Services initiated the purchase of security software that will work with its recently purchased firewall. Washington Headquarters Services plans to use the security software to manage and audit all servers on the network and to perform a systems security risk-and-vulnerability assessment. Also, Washington Headquarters Services is incorporating an annual mandatory computer security awareness training course in accordance with the Computer Security Act of 1987.

Summary of Recommendations. We recommend that the Director for Personnel and Security, Washington Headquarters Services, improve the information assurance program by directing the appropriate security personnel to conduct a risk analysis to identify and define overall system threats and vulnerabilities; conduct a systems test and evaluation; and establish a memorandum of agreement with customer support units to complete a security plan, contingency plan, and system accreditation and to conduct a risk analysis, as well as systems test and evaluation. We also recommend that the Technical Director, Directorate of Personnel Data Systems, Air Force Personnel Center, coordinate with Washington Headquarters Services training requirements for designated security personnel for the Defense Civilian Personnel Data System information assurance program.

Management Comments. The Director, Washington Headquarters Services, concurred with all but one recommendation, stating that no command and control relationship exists between the Washington Headquarters Services Regional Service Center and the customer support units. He noted that each customer support unit is responsible for completing its own security plan, security policy, contingency plan, system accreditation, risk analysis, and systems test and evaluation. The Department of the Air Force concurred with the recommendation and initiated needed actions. See Part I for a discussion of management comments and Part III for the complete text of the management comments. Also, see Appendix E for a discussion of management comments on the finding.

Audit Response. The Washington Headquarters Services comments were partially responsive. Despite the lack of a command and control relationship between the Washington Headquarters Services Regional Service Center and the customer support units, risks exist in relation to the confidentiality, integrity, and availability of personnel data processed using the Defense Civilian Personnel Data System. Although each customer support unit is responsible for completing its own security requirements, the customer support units can access the Washington Headquarters Services Regional Service Center regional database. The Washington Headquarters Services Regional Service Center therefore should seek assurance that the customer support units have adequately implemented security within their information technology environments before allowing access to its regional database. A command and control relationship should not be necessary. We request that the Washington Headquarters Services reconsider its position on the revised recommendation to establish a memorandum of agreement with its customer support units and provide further comments by August 3, 1998.
Audit Background


Defense Civilian Personnel Data System. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) designated the Defense Civilian Personnel Data System (DCPDS) as an interim standard system in an April 22, 1991, memorandum. The memorandum designated the Secretary of the Air Force as the executive agent for the DCPDS. At that time, DCPDS consisted of a core system, the Air-Force-developed Personnel Data System-Civilian, plus distinct Army and Navy versions of Personnel Data System-Civilian. Since 1991, DoD has transitioned the Military Departments and most Defense agencies to a standard DCPDS. The modern DCPDS program will provide a seamless automated information system that will provide support for personnel policy actions and personnel decisions during peacetime, contingencies, and wartime. The modern DCPDS will support all DoD Components worldwide and will be used by personnel officials, employees, managers, and senior leadership at all levels of DoD operations throughout the world. The modern DCPDS is envisioned to enable one personnel specialist to provide personnel services to about 100 civilian personnel. The modern DCPDS is also envisioned to eliminate duplicative DoD Component and Defense agency personnel system costs and to reduce maintenance costs for mainframe computers. The current operational DCPDS supports the Military Departments and Defense agencies and consists of DCPDS software applications called personnel process improvements. The personnel process improvements are an important element in migrating to the modern system. The personnel process improvements application programs provide electronic means to generate, route, and process personnel actions; create and classify positions; initiate, route, and track training requests; and access current personnel database and associated data from other functional areas. The functionality of the personnel process improvement software applications will be included in the modern DCPDS. The DCPDS interim system is designed to improve and enhance personnel staffs during the DoD transition to a downsized workforce.

Washington Headquarters Services. In November 1993, the Secretary of Defense, by Program Decision Memorandum, directed the Defense agencies to consolidate their civilian personnel operations into three regional service centers (RSCs) from FY 1995 through FY 1998. The RSCs will be the repository for regional DCPDS databases and for official personnel files. In establishing the RSCs, economies of scale will be gained by concentrating personnel support functions at one location. Approximately 60 percent of the current personnel operations workload will migrate from agency personnel offices to the RSC.

The remaining workload will be completed in the customer service centers that are managed by the agencies. The key element to achieving the expected cost benefits and other efficiencies is the electronic connections among agency managers and supervisors, the customer support units (CSUs), and the RSC, which collectively will service approximately 10,000 employees. In May 1994, the Defense Agencies Planning Team developed a regionalization concept plan that would create a National Capital Region in the Washington, D.C., Metropolitan Area in FY 1996, with two additional regions to be established in FYs 1997 and 1998, respectively. Washington Headquarters Services (WHS) would manage the RSC and would consolidate portions of the WHS civilian personnel offices, the Uniformed Services University of the Health Sciences, the Defense Information Systems Agency, the Defense Investigative Service, the On-Site Inspection Agency, the Defense Nuclear Agency, and the Joint Staff.


Audit  Objectives 

The overall audit objective was to evaluate the adequacy of information assurance for the DCPDS at WHS. Specifically, we evaluated the security planning, risk analysis, and security management. We did not evaluate the security of network and communications infrastructure because DoD resources were not available to conduct vulnerability assessments. We also reviewed the management control program as it applied to the audit objectives. See Appendix A for a discussion of the audit scope and methodology and the review of the management control program. Appendix B provides a summary of prior coverage related to the audit objectives.
Information Assurance Program

WHS possesses a security policy, security plan, and contingency plan, and has system access and physical security controls in place. However, WHS needs to improve information assurance for DCPDS because it did not have the required information assurance controls in place to do the following:

• conduct a risk analysis for its organization to identify and define overall system threats and vulnerabilities as required by DoD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," March 21, 1988 (The Directive);

• complete a systems security test and evaluation; or

• obtain assurance that its CSUs completed a security plan, contingency plan, and system accreditation and conducted a risk analysis and systems test and evaluation.

Additionally, the DCPDS functional and acquisition program managers did not coordinate with WHS to provide training requirements for designated security personnel for the DCPDS information assurance program.

As a result, without those controls, WHS cannot ensure the confidentiality, integrity, and availability of more than 10,000 personnel records.


Requirements  for  Information  Assurance  Controls 

The DoD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," March 21, 1988. The Directive states that at a minimum, a risk management program should be in place to determine how much protection is required, how much exists, and the most economical way of providing the needed protection. According to the Directive, risk management is the total process of identifying, measuring, and minimizing uncertain events affecting automated information system resources. It includes conducting a risk analysis, cost benefit analysis, safeguard selection and implementation, security test and evaluation, and systems review. A risk analysis examines system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence.

The Directive also requires a training and awareness program to provide for the security needs of all persons accessing the automated information systems. The security training and awareness program must ensure that all persons responsible for the automated information system or information in the system and all persons who access the automated information system are aware of operational and security-related procedures and risk.

The Computer Security Act of 1987. The Computer Security Act of 1987 requires computer security plans to be developed for all Federal computer systems that contain sensitive information to ensure data integrity, availability, and confidentiality. The Act defines sensitive information as:

    . . . any information, the loss, misuse, or unauthorized access to, or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled . . . .

The Privacy Act of 1974. DoD civilian personnel data are subject to provisions of the Privacy Act of 1974. The Privacy Act generally requires Federal agencies to safeguard personal information from disclosure to any other organization or individual without the consent of the individual to whom the information pertains. The Privacy Act also requires each agency to account for disclosures of information to other organizations and individuals.


Responsibilities  for  DCPDS  Information  Assurance 

The DCPDS functional and acquisition managers, and WHS and its CSUs, all have shared roles and responsibilities in safeguarding the DCPDS personnel data. The organizations must fulfill their responsibilities to achieve information assurance for DCPDS.

Directorate of Personnel Data Systems Responsibilities. According to the Air Force Personnel Center Pamphlet 38-1, "Organizations and Functions," April 14, 1997, the Directorate of Personnel Data Systems is responsible for establishing, directing, and managing communications-computer systems security policy and procedures covering DCPDS as it extends to all organizational levels of Federal and DoD organizations and civil agencies.

RSC Responsibilities. The WHS RSC maintains its own domain and is responsible for instituting its own security protection mechanisms and procedures as well as for implementing the minimum security requirements needed for systems to be secure in accordance with DoD regulations. To meet minimum security requirements, WHS must accredit its automated information system. An accreditation is the approval to operate in a particular security mode using prescribed safeguards. Part of the accreditation process is performing a risk analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence.
CSU Responsibilities. The CSU systems architecture consists primarily of a desktop personal computer that processes sensitive-but-unclassified data. To achieve appropriate measures against threats and vulnerabilities, each CSU is responsible for conducting a risk analysis to identify most risks and threats associated with each workstation that processes personnel data.


Existing  Controls 

Systems Access Controls. DoD Standard 5200.28-STD, "Department of Defense Trusted Computer Security Evaluation Criteria," December 1985, requires that access to the system is not given to individuals lacking proper authority. Systems access controls were in place at WHS and its CSUs. The RSC generates and controls passwords for access to DCPDS and the personnel process improvements suites. All new users must attend training for the personnel process improvements suites before obtaining access to the DCPDS and the personnel process improvements suites. The system administrator determines the level of access granted to new users based on a matrix received from the CSU. The CSU determines whether requested access is appropriate, based on the responsibilities and duties of the user. Password expiration is not automatically required by the system; however, users are encouraged to change their passwords periodically.

Physical Security. The Directive states that, as a minimum security requirement, automated information systems hardware, software, documentation, and all classified and sensitive-but-unclassified data handled by the automated information system must be protected to prevent unauthorized disclosure, destruction, or modification. The Directive also states that software development and related activities must be physically controlled and protected when the software is used for handling classified or sensitive-but-unclassified information. Physical security controls were in place at WHS and its CSUs. Specifically, at WHS, visitors are required to obtain temporary visitor badges upon entry into the WHS RSC building; servers and network components are located in a locked room that is not accessible to unauthorized personnel; and visitors are escorted while in the computer room facilities. Physical security controls at the On-Site Inspection Agency consist of 24-hour security guards at the building's main entrance, card readers at each entrance, and escorting visitors without a security clearance; a badge requirement for authorized personnel for entry after normal work hours; and cameras. Authorized personnel are required to enter their PIN numbers into keypads to gain access to the computer room. Physical security controls at the Joint Staff consist of access being limited to those who have the required clearances and access authorization. The barriers include guards, locks, vaults, security containers, closed circuit television cameras, and intrusion detection alarm systems.
Adequacy of the Information Assurance Program for the Defense Civilian Personnel Data System


WHS did not have an adequate information assurance program for DCPDS. Specifically, WHS did not perform a risk analysis and a systems security test and evaluation. It also did not establish an annual mandatory security training and awareness program. The DCPDS interconnectivity with numerous information systems, and the use of the Internet to transfer sensitive personnel data, demand an information assurance program to protect the confidentiality, integrity, and availability of data processed. The underlying requirement of an information assurance program for WHS is to provide reasonable assurance that personnel information that DCPDS processes is reliable and properly safeguarded.

An information assurance program should address key issues such as planning, risk management, and accreditation. The program would provide for collecting information on the organization's security position; planning for program implementation; analyzing, quantifying, and countering risks; planning for disaster recovery; implementing tests; compiling accreditation documentation; and accrediting the system, network, or both. Key documents to be developed as a result of performing the tasks should include the security policy and plan, risk assessment, contingency plan, systems test and evaluation, and a signed statement of accreditation by the designated approving authority. The adequacy of the information assurance program is determined based on the completion and implementation of the documents as well as implementation of system access controls, physical security controls, and an adequate security training and awareness program.


Information  Assurance  Control  Documentation 


DoD guidance requires that organizations processing sensitive-but-unclassified data establish and implement an information assurance program. An information assurance program consists of developing and implementing documentation such as a security policy, security plan, contingency plan, and systems security test and evaluation, and having a signed statement of accreditation by the designated approving authority. In addition, WHS and its CSUs must have system access controls, physical security controls, and an adequate security training and awareness program in place.

Security Policy. DoD Standard 5200.28-STD, "Department of Defense Trusted Computer Security Evaluation Criteria," December 1985, states that an explicit and well-defined security policy must be enforced so that no one can access the system without the proper authority. It requires security policy to reflect the laws, regulations, and general policies from which it is derived. WHS and its CSUs developed and implemented security policies for their organizations.
Security Plan. The Computer Security Act of 1987 requires computer security plans to be developed for all Federal computer systems that contain sensitive information to ensure their integrity, availability, and confidentiality. The security plan describes the strategy for implementing information assurance and establishes a methodology for validating the security requirements identified in the security policy. Both WHS and the Joint Staff developed a security plan that establishes a formal security policy and defines the organizational mechanisms necessary for implementation and enforcement. Although the On-Site Inspection Agency's security policy stated that a system security plan will be prepared and maintained for all automated information systems, including networks processing classified or sensitive-but-unclassified information, it did not provide a completed security plan. Without an established security plan, the On-Site Inspection Agency has no assurance that it has developed a strategy for implementing information assurance controls and a methodology for validating security requirements.

Contingency Plan. The Directive requires that contingency plans be developed and tested to ensure that automated information system security controls function reliably and, if they do not, that adequate backup functions are in place to ensure that security functions are maintained continuously during interrupted service. The Directive also states that if data are modified or destroyed, recovery procedures must be in place. WHS developed a Disaster Recovery Plan, which is a contingency plan outlining the procedures for recovering the primary RSC functions from disruption of services. The primary RSC functions include providing regional database access to the CSUs and the personnel specialists, providing capability for updating the regional database from the DCPDS located at Randolph Air Force Base, and providing RSC employees access to the RSC Administration Servers. The purpose of the Disaster Recovery Plan is to minimize the number of decisions that must be made following a disruption of service. The plan is divided into two sections: the Continuity of Operations Plan and the Emergency Procedures Plan. The Continuity of Operations Plan addresses procedures that must be followed when extended systems outages occur. It also outlines a plan of action to recover from the loss of communications capabilities due to network and power outages and hardware failures of the RSC equipment. The Emergency Procedures Plan provides guidance to the RSC System Administrators on the procedures necessary for the system to be shut down and brought back on line safely.

The Joint Staff and the On-Site Inspection Agency did not provide contingency plans. According to the Joint Staff, the development of a contingency plan is based on each organization's determination of whether the applications on its network are critical. According to the Joint Staff, Chief of Security Division, DCPDS is considered critical, and the Joint Staff should have addressed procedures for recovery from disruption of services. According to the On-Site Inspection Agency, a formal contingency plan is not required for its automated information systems. As a result, the two CSUs have no assurance that they can recover from a disaster or an interruption of services.


Risk  Analysis 


Requirement for Risk Analysis. The Directive requires that sensitive-but-unclassified information be safeguarded to ensure confidentiality, integrity, and availability. It also requires systems, networks, or both to be accredited. An accreditation is an approval to operate in a particular security mode using prescribed safeguards. Performing a risk analysis is part of the accreditation process in which an examination of system assets and vulnerabilities is conducted to establish an expected loss from certain events based on estimated probabilities of occurrence. In addition to the DoD guidance requiring a risk analysis, the DCPDS Acquisition Program Manager developed guidance for the RSCs on the need to conduct an operational certification. According to the DCPDS Acquisition Program Manager, the operational certification and risk analysis checklists and guidelines were prepared and distributed to all components. They were also included as attachments to a memorandum issued by the DCPDS Acquisition Program Manager. In the Memorandum for Component Project Managers, "Operational Certification-Regional Service Centers/Risk Analysis Status," January 13, 1997, the DCPDS Acquisition Program Manager emphasized that the certification step is an integral part of the process to ensure system integrity and risk analysis continuity. It further states that one of the phases of the DCPDS program security process requires an initial risk analysis or an update of the current analysis.

Performance of Risk Analysis. Despite the DoD Directive requiring a risk analysis and the guidance provided by the DCPDS Acquisition Program Manager, neither the RSC nor its CSUs (WHS, the Joint Staff, and the On-Site Inspection Agency) conducted a risk analysis to identify security risks, to determine their magnitude, and to identify areas needing safeguards. In addition, they did not conduct accreditations on their workstations to support DCPDS certification and accreditation. According to the WHS Information Technology Manager, the RSC did not conduct a risk analysis because it did not have the necessary tools to allow it to thoroughly assess and identify all of the risks and vulnerabilities. He further stated that the RSC was currently procuring security software to assist it in conducting a risk analysis. The Information Technology Manager stated that WHS would be in a better position to assess and identify all of its risks and vulnerabilities upon receipt of the security software, which was received in September 1997. He stated that failure to obtain the security software products would result in its inability to complete thorough and comprehensive systems security risk-and-vulnerability assessments, as well as to measure and monitor compliance with its information systems security policies. While major reliance is being placed on the acquisition of security software needed to conduct a risk analysis, it does not release WHS from its responsibility to complete a risk analysis. WHS can use other alternatives to assess its systems security risks and vulnerabilities.

Because WHS has not performed a risk analysis, it does not know what its risks and vulnerabilities are, and it does not have assurance that its system is secure in accordance with DoD regulations. As a result, WHS cannot ensure the confidentiality, integrity, and availability of more than 10,000 personnel records.

Followup With WHS by the Directorate of Personnel Data Systems.

Despite the DCPDS Acquisition Program Manager's emphasis on the high priority that effective risk management and security safeguards have with program management, and the need for components' continued support to achieve appropriate measures against threats and vulnerabilities, he did not assess whether the regions performed the operational certifications or risk analyses. The Acquisition Program Manager also did not follow up with WHS to determine the status of completion or target completion dates. Specifically, the Central Design Activity Security Coordinator could not provide evidence of a completed operational certification and risk analysis for WHS, or a target date for completion.


Other Information Assurance Controls

Systems Security Test and Evaluation. WHS and its CSUs provided no evidence that they conducted a test and evaluation of the security of the system. The objective of the systems security test and evaluation is to assess the technical and nontechnical implementation of the security design and to ascertain that security features affecting confidentiality, integrity, and availability have been implemented. Systems should be subject to a systems security test and evaluation to ensure that they meet the environmental and operational security requirements.

Accreditation. The Directive requires that each automated information system be accredited to operate in accordance with a designated approving authority-approved set of security safeguards. As of late August, neither WHS nor the On-Site Inspection Agency had an interim accreditation; however, in October 1997, WHS requested and received an extended interim authority to operate. According to the designated approving authority for WHS, WHS was operating without an interim authority from August 7, 1997, through October 6, 1997. In the absence of a signed statement of accreditation, an interim authority to operate should be obtained. (An interim authority to operate can be obtained in 90-day increments up to 1 year.) WHS is currently using the interim system that should be accredited by the designated approving authority to indicate that due care has been taken to protect the information in the system. A reaccreditation will be required when the target system is operational if changes to the interim system will affect the accredited safeguards or the prescribed security requirements. As a result, WHS has no assurance that its CSU systems are approved to operate using a prescribed set of safeguards at an acceptable level of risk and that CSUs have taken due care to protect the information in the system.

General Information Assurance Training and Awareness. The Directive states that, as a minimum security requirement, a training and awareness program must be in place for the security needs of all persons accessing the automated information system. The security training and awareness program should ensure that all persons responsible for the automated information system or information in it and all persons who access the automated information system are aware of operational and security related procedures and risk. Although security awareness briefings for new users were conducted, security management personnel and users of the DCPDS at WHS have not received periodic annual training in computer security awareness, and an information assurance training and awareness program with annual refresher classes was not implemented. Until recently, management did not emphasize the importance of information systems security training and awareness. According to the Information Systems Security Officer, an annual training program in computer security awareness had not been developed because of other higher priority job assignments and insufficient time available for developing such a program. For example, until recently, the routine job responsibilities of the Information Systems Security Officer included writing contract statements of work, meeting daily with the contractors, preparing information technology budget submissions, attending the information technology budget meetings and briefings, maintaining and continuously updating the inventory database, acting as the network manager, and performing additional duties as assigned. One of the additional duties assigned was the appointment as Information Systems Security Officer that, because it was assigned as an additional duty, did not get the attention needed to implement it as an adequate information assurance training and awareness program. As a result, WHS has no assurance that security management personnel and users have the computer security awareness necessary to promote a secure system environment. According to the General Services Administration Interagency Training Center, lack of awareness is one of the major causes of damage to Federal Government computer operations.

The lack of awareness of computer users concerning the types of threats that can cause damage, and the vulnerabilities that permit them to cause damage, is the primary problem. Awareness and planned responses to abnormal events can dramatically reduce the incidence of all other problems.


Coordination With DoD Components on Training Requirements

The DCPDS functional and acquisition program managers did not coordinate with WHS in regard to providing training requirements for designated security personnel, such as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator for the DCPDS. The Information Systems Security Officer, the Network Administrator, and the System Administrators at WHS were not adequately trained to perform their duties. For example, event audit logs were rarely used because the Network Administrator was not trained on how to use them without an overload of information that would eventually shut down the system. The lack of coordination with WHS and lack of training requirements addressing system-specific responsibilities for security personnel could compromise the security position of the RSCs and CSUs processing personnel data. As a result, required information assurance controls were not in place. Without those controls, WHS cannot ensure the confidentiality, integrity, and availability of more than 10,000 personnel records.


Corrective Actions Taken or Planned

In September 1997, in an effort to comply with all aspects of the required security laws, WHS obtained security software that will work with its recently purchased firewall. The security software will be used to manage and audit all servers on the network. Implementing the security tools will allow the WHS information technology managers to establish, manage, and enforce DoD, Office of the Secretary of Defense, and directorate information technology security policies, while providing a framework for integrating systems security functions. The security software will be used to monitor systems security, detect suspicious actions as well as patterns of abuse, and respond automatically according to established security policies. WHS plans to use the security software features to perform a systems security risk-and-vulnerability assessment.

The Information Systems Security Officer at WHS is currently incorporating an annual mandatory computer security awareness training course. The course will be conducted at least annually, in accordance with the Computer Security Act of 1987, and will highlight and summarize the contents of the automated information system security plan. Also, WHS plans to disseminate monthly bulletins from the National Institute of Standards and Technology that address computer security.


Conclusion 

The DCPDS functional and acquisition managers did not coordinate with WHS about providing training requirements for designated security personnel for the DCPDS. Personnel designated as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator neither received nor attended any system-specific information assurance training addressing their roles and responsibilities.

Despite DoD requirements and guidance provided by the DCPDS Acquisition Program Manager, neither WHS RSC nor its CSUs -- WHS, Joint Staff, and the On-Site Inspection Agency -- conducted a risk analysis to identify security risks, determine their magnitude, and identify areas needing safeguards or accreditations to their workstations to support DCPDS certification and accreditation.

Also, other information assurance controls such as a security plan, a contingency plan, a systems security test and evaluation, and a signed statement of accreditation by the designated approving authority were not always developed, completed, and implemented.


Management Comments on the Finding and Audit Response


The Director, Washington Headquarters Services, and the Department of the Air Force commented on the finding. Although not required to comment, the Director, Civilian Personnel Management Service, also commented on the finding. We revised the finding as necessary. A summary of those comments and our response is in Appendix E. The full text of the comments is in Part III.


Recommendations, Management Comments, and Audit Response

Revised Recommendation. As a result of management comments, we revised draft Recommendation 1.c. to clarify the nature of actions needed to improve the information assurance program for DCPDS.

1. We recommend that the Director for Personnel and Security, Washington Headquarters Services, direct the appropriate security personnel to:

a. conduct a risk analysis for its organization to identify and define overall system threats and vulnerabilities.

Washington Headquarters Services Comments. WHS concurred, stating that a risk analysis for the WHS RSC was conducted on October 1, 1997. A copy was provided to the Audit Team Leader on December 31, 1997, after the draft report was issued.

b. conduct a systems security test and evaluation.

Washington Headquarters Services Comments. WHS concurred, stating that a systems test and evaluation on the WHS RSC information technology infrastructure will be completed by the end of the third quarter FY 1998.

c. establish a memorandum of agreement with the customer support units that access the regional database. The memorandum of agreement should require the customer support units to complete a security plan, contingency plan, and system accreditation and to conduct a risk analysis and systems test and evaluation.

Washington Headquarters Services Comments. WHS nonconcurred with the draft report recommendation, stating that no command and control relationship exists between the WHS RSC and the CSUs and that each CSU is responsible for completing its own security plan, security policy, contingency plan, and system accreditation and for conducting a risk analysis and systems test and evaluation. Each CSU is responsible to its designated approving authority for obtaining approval to operate. The introduction of the DCPDS client software into the information technology environment of each CSU should trigger the information technology managers to conduct a new risk analysis and obtain an updated approval from the respective designated approving authority. Because WHS has no relationship with the CSU command structure, other than providing human resource management support, no authority currently exists for WHS to conduct an independent risk analysis of any of its customers’ workstations or other information technology components.

Audit Response. The WHS comments are partially responsive. Despite the lack of a command and control relationship between the WHS RSC and the CSUs, risks exist in relation to the integrity, availability, and confidentiality of personnel data processed using the DCPDS, and need to be addressed.

Although each CSU is responsible for completing its own security plan, security policy, contingency plan, system accreditation, risk analysis, and systems test and evaluation for its information technology environment, the CSUs can access the WHS RSC regional database, which processes more than 10,000 personnel records. The WHS RSC should seek assurance that the CSUs have adequately implemented security within their information technology environments. We have revised our recommendation to have WHS establish a memorandum of agreement with the CSUs that access the regional database to obtain assurance that the CSUs complete a security plan, contingency plan, and system accreditation and that they conduct a risk analysis and systems test and evaluation. The recommendation is not implying that WHS complete required security documentation or conduct an independent risk analysis for its CSUs. The memorandum of agreement should be used as a tool for obtaining assurance that the CSUs have adequately implemented security and are exemplifying good security practices before fielding new interim system software releases and granting the CSUs access to the regional database. We request that WHS provide comments on the revised recommendation.

2. We recommend that the Technical Director, Directorate of Personnel Data Systems, Air Force Personnel Center, develop and implement procedures to coordinate with Washington Headquarters Services and its customer support units and other DoD Components on establishing system-specific training requirements for designated security personnel for the Defense Civilian Personnel Data System information assurance program.

Department of the Air Force Comments. The Department of the Air Force concurred, stating that in conjunction with the Civilian Personnel Management Service, the DCPDS acquisition program management is developing a System Security Annex to the DCPDS Training Support Plan. The Annex will be provided to DoD Components to plan, develop, and execute training strategies for functional and technical personnel involved in the operations of the DCPDS. The Annex will also contain the knowledge, skills, abilities, and training requirements for network security officers and users at all operational levels. The System Security Annex was scheduled to be completed by July 1998. Additionally, starting in May 1998, the DoD Components will be required to brief the status of their risk analysis and operational certifications at DCPDS Computer Security Working Group meetings.

Appendix A. Audit Process


Scope and Methodology

We conducted an on-site review of information assurance policies, procedures, and practices. We reviewed the information planning documents such as the security policy, security plan, risk analysis, contingency plan, and security test and evaluation dated from August 1991 through November 1997. We determined whether systems access controls, physical security, and security training and awareness programs were developed and implemented. We reviewed user, system, and network administrator security practices. We identified and interviewed key security personnel such as the Information Systems Security Manager, Information Systems Security Officer, System Administrator, Network Administrator, and DCPDS managers. We conducted interviews to determine the level of training provided for DCPDS, personnel process improvements software applications, and information assurance. We did not rely on computer-processed data to accomplish the overall audit objective.

Scope Limitation. We did not evaluate the security of network and communications infrastructure because DoD resources were not available to conduct vulnerability assessments.

Contacts During the Audit. We visited or contacted individuals and organizations within DoD and the Federal Government. Further details are available upon request.

Audit Period and Standards. We performed this economy and efficiency audit from June through November 1997 in accordance with auditing standards that the Comptroller General of the United States issued, as implemented by the Inspector General, DoD. Accordingly, we included tests of management controls considered necessary.

Management Control Program


DoD Directive 5010.38, “Management Control (MC) Program,” August 26, 1996, requires DoD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of Review of the Management Control Program. We reviewed the WHS management controls as they related to the DCPDS information assurance program. Specifically, we reviewed WHS controls for security planning, risk analysis, and security management for DCPDS. We also reviewed management’s self-evaluation for those controls.

Adequacy of Management Controls. We identified material management control weaknesses for WHS, as defined by DoD Directive 5010.38. The controls for information assurance were inadequate to ensure the confidentiality, integrity, and availability of the information stored on and processed by DCPDS. The recommendations in this report, if implemented, will improve the controls for protecting DCPDS. A copy of this report will be provided to the senior official responsible for management controls at WHS and the Air Force Personnel Center.

Adequacy of Management’s Self-Evaluation. Management did not identify the DCPDS program or the computer security as an assessable unit and, therefore, did not identify or report the material management control weaknesses identified by the audit. Management did not conduct an evaluation for FY 1996. Management did not reevaluate all assessable units to ensure that the management controls are addressed for all risk areas in the Personnel and Security Division after the regionalization efforts in FY 1996, as they planned.

General Accounting Office

GAO Report No. AIMD-96-144 (OSD Case No. 1213), “DoD General Computer Controls: Critical Need to Greatly Strengthen Computer Security Program,” September 30, 1996. The report discusses the General Accounting Office evaluation of the general computer controls at several large Navy and Marine Corps computer installations and at selected Defense Information Systems Agency megacenters. The report notes security weaknesses that would allow hackers and legitimate users to improperly access, modify, or destroy sensitive DoD data. The report recommended a centralized security management program with defined responsibilities, periodic reviews, and monitoring and reporting improvement actions. DoD management concurred with all findings and recommendations.

GAO Report No. AIMD-96-84 (OSD Case No. 1150), “Information Security: Computer Attacks at Department of Defense Pose Increasing Risks,” May 22, 1996. The report discusses the General Accounting Office review of the extent to which DoD computers are being attacked, the potential for damage, and the challenges faced in responding to the attacks. The General Accounting Office noted that attacks are increasing and damaging and are a threat to national security. The General Accounting Office concluded that policies are out of date and inconsistent and that many users are not aware of the magnitude of the problem. The report recommended that the Secretary of Defense strengthen the DoD information systems security program by improving policies and procedures, increasing user awareness, setting standards, monitoring security, and establishing responsibility and accountability. DoD management agreed with the report’s findings and recommendations.


Office of the Inspector General, DoD

Report No. 98-127, “Information Assurance of the Defense Civilian Personnel Data System - Navy,” April 29, 1998. The audit objective was to evaluate the adequacy of information assurance for DCPDS as it related to the Navy. Specifically, the audit evaluated DCPDS security planning, risk analysis, and security management. The report concludes that the Navy Pacific Region and two of its three human resources offices have made DCPDS information assurance a high priority and have computer security programs in place. However, at the beginning of the audit, its Human Resources Office Marine Corps Base Hawaii Kaneohe Bay did not have a security program in place. As a result of the inadequate information assurance controls at Human Resources Office Marine Corps Base Hawaii Kaneohe Bay, the Navy cannot ensure the confidentiality, integrity, and availability of more than 209,000 Navy and Marine Corps civilian personnel records. The Human Resources Office Marine Corps Base Hawaii Kaneohe Bay has taken corrective action during the audit by developing a security policy and interim authority to operate and by conducting a system security test and evaluation. It has also appointed key security management positions and established a risk analysis safeguard checklist to identify and define overall system threats and vulnerabilities for the computers that run the Defense Civilian Personnel Data System, and it has initiated ongoing security awareness training in accordance with the Computer Security Act of 1987. The report recommended that the Human Resources Office Marine Corps Base Hawaii Kaneohe Bay improve the adequacy of its Defense Civilian Personnel Data System information assurance program by completing an overall security plan and a contingency plan. The Department of the Navy concurred with the recommendations and has initiated needed actions.

Report No. 98-082, “Information Assurance of the Defense Civilian Personnel Data System,” February 23, 1998. The audit objective was to determine the adequacy of the information assurance program for major automated information systems, specifically to evaluate DCPDS security planning, risk analysis, and security management. The report concludes that the DCPDS information assurance program did not have adequate controls in place to safeguard DCPDS data and resources. As a result, DCPDS has high risks for unauthorized system access, intentional and unintentional alteration and destruction of data, and denial of service to authorized users. The report recommended strengthened oversight and management of DCPDS information assurance. Also, the report recommended the establishment of information assurance functional requirements and the implementation of information assurance measures to protect DoD civilian personnel data. The Director, Civilian Personnel Management Service, stated that, by acquiring C-2 compliant system hardware and software, no perceivable threats would be in the DCPDS processing environment that must be countered by system design. In addition, the Director stated that a computer security response team, representing the Major Automated Information Systems Review Council, identified risks to DCPDS through a facilitated risk assessment program, and the acquisition program manager is developing an action plan to mitigate program risks. The Director nonconcurred with a draft recommendation to revise the operational requirements document to include validated threat information and also nonconcurred with the threat requirements and funding to protect the DoD civilian data. The Director stated that the facilitated risk analysis provided a comprehensive list of threats and is a more appropriate analysis for the DCPDS. The Director also stated that he does not recognize coordination with the acquisition program manager as a problem and that there are no funding deficiencies for protecting DoD civilian personnel data. The Director agreed with the recommendation to coordinate and approve a certification and accreditation plan to protect the DCPDS and commented that his office is determining which organizational component will serve as the operating DCPDS designated approving authority. Air Force management and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) management agreed with the report’s findings and recommendations.
Report No. 98-024, “Security Controls Over Systems Serving the DoD Personnel Security Program,” November 19, 1997. The audit objective was to evaluate security controls over the computer system serving the DoD personnel security program, which the Defense Investigative Service administers. The report states that the Defense Investigative Service did not have adequate controls to protect personnel security systems and data from compromise. Therefore, the Defense Investigative Service cannot ensure that unauthorized individuals can be prevented from accessing, modifying, or destroying the highly sensitive DoD personnel security information that it administers. The report recommended the Defense Investigative Service communicate specific security requirements, modify Memorandums of Agreement and contracts to include system security, develop and implement access control policies, isolate critical resources in the system architecture, and improve physical security. The Defense Investigative Service did not agree with the overall characterization of its system security status, but agreed with all recommendations and initiated responsive actions.

Report No. PO 97-049, “DoD Management of Information Assurance Efforts to Protect Automated Information Systems,” September 25, 1997. The audit objective was to determine the effectiveness of DoD management of information assurance efforts to protect automated information systems. The report concludes that the security safeguards and practices that protect DoD automated information systems need improvement. Inefficient and ineffective implementation of the Defense-Wide Information Systems Security Program, outdated policies and procedures, inadequate direction and oversight, and lack of accountability for information systems security management controls contributed to the inadequate security safeguards. The report recommended developing procedures to determine the Defense information infrastructure’s security posture, developing an information assurance strategic plan, and incorporating accountability requirements for personnel responsible for safeguarding DoD automated information systems. The Acting Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) generally concurred with the finding and recommendations and, in coordination with the Services, Joint Staff, and Defense agencies, was establishing an integrated management process to extend DoD oversight of information assurance programs and activities to all DoD Components.


Air Force Audit Agency

Project No. 96054027, “Data Communications Security,” April 15, 1997. The audit objective was to determine whether the Air Force adequately protects sensitive-but-unclassified information transmitted over the Air Force Internet. The report concludes that Air Force systems continued to transmit sensitive-but-unclassified information unprotected over the Air Force Internet because the Air Force system managers had not conducted a risk analysis. Users and system managers of 5 of the 11 systems examined were not aware of the increased risk of using the Air Force Internet or of the sensitive nature of the information. The Air Force Audit Agency recommended a risk analysis for each system to identify the current risks of transmitting sensitive-but-unclassified information over the Air Force Internet, as well as emphasizing protection requirements to the designated approving authorities. Air Force management officials agreed with the overall audit results and planned responsive actions.

Project No. 93058001, “Review of Personnel Concept III System Security and Equipment Management,” April 3, 1995. The audit objective was to determine whether selected security and control procedures were properly implemented in the Personnel Concept III computer system. The report concludes that the Air Force did not implement adequate security access protection for the system and did not properly account for computer equipment. The Air Force Audit Agency recommended implementing separation-of-duty requirements, maintaining consolidated accreditation databases, identifying system threats and areas requiring additional protection, and implementing proper control and authorization of passwords. Air Force management officials agreed with the overall audit results and planned responsive actions.


Other Related Coverage

Defense Science Board Task Force, "Information Warfare-Defense (IW-D)," November 21, 1996. The Defense Science Board Task Force was established to study the protection of information interests of national importance through a credible information warfare defensive capability. The report concludes that action is needed to defend against possible information warfare attacks against DoD systems that could affect the ability of DoD to carry out its responsibilities. The task force recommended 50 actions ranging from identification of a focal point within DoD for information warfare activities to allocation of approximately $3 billion over the next 5 years to implement recommendations.

Joint Security Commission, "Redefining Security," February 28, 1994. The Joint Security Commission report addresses the processes used to formulate and implement security policies in DoD and the intelligence community. The Joint Security Commission concluded that the clearance process was needlessly complex, cumbersome, and costly. The Joint Security Commission made recommendations to create a new policy structure, enhance security, and lower cost by avoiding duplication and increasing efficiency.
Federal and DoD organizations have published numerous definitions for terms to describe conditions, events, and key officials involved with safeguarding automated information systems. We primarily used definitions from DoD Directive 5200.28, "Security Requirements for Automated Information Systems," March 21, 1988, and definitions from other guidance authorized by that Directive.

Accreditation. Accreditation is the formal declaration by a designated approving authority that a system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Accreditation is the official management authorization for operation of an information system and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the designated approving authority and shows that due care has been taken for security. (DoD Directive 5200.28)

Availability. Availability is the timely, reliable access to data and information services for authorized users. (DoD Directive 5200.40, "DoD Information Technology Security Certification and Accreditation Process," December 30, 1997)

Certification. Certification is the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements. (NSTISSI¹ No. 4009)

Certification Official. The certification official is the person responsible to the designated approving authority for ensuring that security is provided for and implemented throughout the life cycle of an automated information system, beginning with the concept development phase through its design, development, operation, maintenance, and secure disposal. (DoD Directive 5200.28)

Confidentiality. Confidentiality is the assurance that information is not disclosed to unauthorized entities or processes. (NSTISSI No. 4009)

Contingency Planning. Contingency plans are developed and tested in accordance with Office of Management and Budget Circular A-130 to ensure that automated information systems' security controls function reliably and, if not, that adequate backup functions are in place to ensure that security functions are maintained continuously during interrupted service. If data are modified or destroyed, recovery procedures must be in place. (DoD Directive 5200.28)


¹ National Security Telecommunications and Information Systems Security Instruction.

Data Integrity. Data integrity is the condition that exists when data are unchanged from their source and have not been accidentally or maliciously modified, altered, or destroyed. (NSTISSI No. 4009)

Designated Approving Authority. The designated approving authority is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The designated approving authority must be at the organizational level, have the authority to evaluate the overall mission requirements of an information system, and provide definitive directions to information system developers or owners on the risk in the security posture of the system. (DoD Directive 5200.28)

Information Systems Security Manager. The Information Systems Security Manager is the person responsible for implementing the overall security program approved by the designated approving authority. The Information Systems Security Manager focuses on automated information system security and should not participate in the day-to-day operation of the automated information system. (National Computer Security Center-Technical Guideline-027)

Information Systems Security Officer. The Information Systems Security Officer is the person responsible to the designated approving authority for ensuring that security is provided for and implemented. Specifically, the Information Systems Security Officer is to:

• maintain a plan for system security improvements and progress toward meeting the accreditation,

• evaluate known vulnerabilities to ascertain whether additional safeguards are needed, and

• ensure that audit trails are reviewed periodically. (DoD Directive 5200.28)

Risk Analysis. A risk analysis is an analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence. (DoD Directive 5200.28)

Security  Awareness  Training.  Mandatory  periodic  security  awareness  training 
is  required  for  all  persons  involved  in  management,  use,  or  operation  of  Federal 
computer  systems  that  contain  sensitive  information.  (Computer  Security  Act 
of  1987,  Public  Law  100-235) 

Security Mode. The security mode is the description of the conditions under which a system operates, based on the sensitivity of the information processed and the clearance levels, formal access approvals, and need-to-know of its users. The four modes of operation are the dedicated mode, system-high mode, compartmented or partitioned mode, and multilevel mode. (NSTISSI No. 4009)
Security Test and Evaluation. A security test and evaluation is the examination and analysis of the safeguards required to protect an information technology system, as they have been applied in an operational environment, to determine the security posture of that system. (NSTISSI No. 4009)

Threat. A threat is any circumstance or event that has the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, or denial of service. (NSTISSI No. 4009)

Vulnerability. A vulnerability is a weakness in an information system or its components (such as system security procedures, hardware design, and management controls) that could be exploited. (NSTISSI No. 4009)
Appendix D. Configuration for the Defense Civilian Personnel Data System

DCPDS Database. The WHS civilian personnel records are maintained on the DCPDS database at the Air Force Information Processing Activity located at Randolph Air Force Base in San Antonio, Texas. The DCPDS database contains more than 750,000 civilian personnel records, of which 10,000 are processed by WHS. The CSU accesses the regional database at the RSC, which updates the DCPDS database at Randolph Air Force Base.

DCPDS Connectivity. The DCPDS database is networked to regional databases, which, in turn, link to CSUs and agency managers and supervisors. The RSC network is a Microsoft Windows NT and UNIX Hewlett Packard network with a Fiber Distribution Data Interface backbone. The RSC maintains the regional database that the CSUs access. A connection of the Fiber Distribution Data Interface Networking Services from the router provides the RSC connectivity to the Office of the Secretary of Defense.

The regional database server provides support for the human resources requirements of the entire WHS region. The CSUs access the regional database server for the human resources information that is contained in the database resident on the server. Connectivity from the RSC to the DCPDS database at Randolph Air Force Base is provided through the Non-Classified Internet Protocol Router Network. The CSUs access the database using the Common Desktop Environment Runtime application program from the CSU workstation computers. The Common Desktop Environment Runtime application program allows the CSU users to run the personnel process improvements application programs directly from the user workstation computers. The personnel process improvements application programs provide electronic means to generate, route, and process personnel actions; create and classify positions; initiate, route, and track training requests; and access current personnel database and associated data from other functional areas. The personnel process improvements applications effectively bypass the CSU server and move all of the functionality of the server onto the workstation computer. Currently, no servers are at the CSUs. WHS does not see the need for servers at the CSUs unless the amount of data being processed increases significantly. However, according to the WHS Information Technology manager, depending on the new technical and architectural designs for the target system, the final decision on whether to place servers at the CSUs will be determined by the Central Design Activity and the Civilian Personnel Management Service.
Appendix E. Management Comments on the Finding and Audit Response

The Director, Washington Headquarters Services; the Air Force; and the Civilian Personnel Management Service provided comments on the finding.

For the full text of management comments, see Part III.

Washington Headquarters Services Comments on General Information Assurance Training and Awareness. The Director, WHS, stated that the Directorate for Personnel and Security, WHS, performs initial system security training for new employees upon their entry on duty. WHS also conducts annual refresher training for all of its employees. Adequacy of the training materials is currently under review. WHS plans to have a completely revised information system security training program by the fourth quarter of FY 1998.

Audit Response. According to the Information Systems Security Officer, the computer security training was in the form of a briefing and was provided to new employees only. We were not provided data indicating that computer security training was conducted as an annual refresher to all employees. According to the Information Systems Security Officer, an annual computer security training and awareness course will be required for all employees. During the audit, we were told that the Directorate for Personnel and Security, WHS, was incorporating an annual mandatory computer security awareness course that would be conducted in accordance with the Computer Security Act of 1987. That corrective action was noted in the draft audit report.

Department of the Air Force Comments on Coordination With DoD Components. The Department of the Air Force disagreed with the part of the finding that the DCPDS functional and acquisition program managers did not coordinate with WHS about their respective security management roles and responsibilities for the DCPDS information assurance program.

According to the Department of the Air Force, DCPDS program managers coordinated security management roles and responsibilities with DoD Component project management through working group meetings over the last 3 years. Chaired by the DCPDS functional program management office, the working group is used as a forum to develop and coordinate security policy, guidelines, and documentation for the modern DCPDS. Additionally, security management roles and responsibilities for the modern DCPDS are specified in the modern DCPDS Security Support Plan.

The modern DCPDS Computer Security Working Group will develop a security annex for the modern DCPDS Training Support Plan. The annex will identify training requirements for security personnel, including the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator. The security annex will also apply to the interim DCPDS.

Civilian Personnel Management Service Comments on Coordination With DoD Components. The Civilian Personnel Management Service disagreed with the finding and stated that the Air Force Personnel Center had coordinated with the DoD Components concerning security management roles and responsibilities for the interim DCPDS. Specifically, the Air Force Personnel Center provided system administrator training, manuals, and software release announcements to the DoD Components covering practices and procedures for granting access to the interim system. The Civilian Personnel Management Service, as the functional proponent for the DCPDS, also stated that recently it had published a coordinated modern DCPDS policy and security support plan, which define the respective security management roles and responsibilities for the modern DCPDS.

The Civilian Personnel Management Service agreed with the finding in that the DCPDS functional and acquisition program managers did not provide any training requirements for the designated security personnel such as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator for the DCPDS. According to the Civilian Personnel Management Service, training requirements for designated security personnel using the legacy and interim DCPDS were not provided. The modern DCPDS Computer Security Working Group will develop a security annex for the modern DCPDS Training Support Plan. The annex will identify training requirements for security personnel, including the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator. The security annex will also apply to the interim DCPDS.

Audit Response. The draft report stated that the DCPDS functional and acquisition program managers did not coordinate with WHS in their respective security management roles and responsibilities for the DCPDS information assurance. The statement was not meant to imply that the Air Force Personnel Center did not coordinate with the DoD Components by providing system administrator training, manuals, and software release announcements to the DoD Components' program. Instead, the intent was to emphasize the lack of coordination with DoD Components regarding the establishment of training requirements for designated security personnel. To eliminate confusion, we have revised the finding and clarified the report to emphasize the lack of coordination for training requirements for DoD Components.
Department of the Air Force and Civilian Personnel Management Service Comments on the Executive Summary and Audit Background. The Department of the Air Force and the Director, Civilian Personnel Management Service, stated that the language used in those elements of the audit report may confuse readers because it does not distinguish between the legacy DCPDS and the modern DCPDS.

Audit Response. We revised the language used in the executive summary and Audit Background to distinguish between the legacy DCPDS and the modern DCPDS.
Office of the Secretary of Defense

Under Secretary of Defense for Acquisition and Technology
Director, Defense Logistics Studies Information Exchange
Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Under  Secretary  of  Defense  for  Personnel  and  Readiness 

Deputy  Assistant  Secretary  of  Defense  (Civilian  Personnel  Policy) 

Director,  Civilian  Personnel  Management  Service 
Assistant Secretary of Defense (Public Affairs)

Director,  Administration  and  Management 
Director,  Washington  Headquarters  Services 
Director  for  Personnel  and  Security 
Director,  On-Site  Inspection  Agency 
Director,  Joint  Staff 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 

Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 

Auditor  General,  Department  of  the  Navy 

Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 
Commander, Air Force Personnel Center

Technical  Director,  Directorate  of  Personnel  Data  Systems,  Air  Force  Personnel 
Center 
Other Defense Organizations

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 

Non-Defense  Federal  Organizations  and  Individuals 

Office of Management and Budget

Technical Information Center, National Security and International Affairs Division,
General  Accounting  Office 

Chairman  and  ranking  minority  member  of  each  of  the  following  congressional 
committees  and  subcommittees: 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Committee  on  Governmental  Reform  and  Oversight 
House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee on Government Reform and Oversight

House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal  Justice, 
Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 
Washington Headquarters Services Comments

OFFICE OF THE SECRETARY OF DEFENSE
1950 DEFENSE PENTAGON
WASHINGTON, DC 20301-1950

MANAGEMENT

MEMORANDUM FOR DIRECTOR, ACQUISITION MANAGEMENT, DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: Audit Report on Information Assurance for the Defense Civilian Personnel Data System - Washington Headquarters Services (Project No. 7RE-300M3)

Enclosed are the management comments to the subject draft Audit report, as requested in your memorandum of 17, 1997. Our comments reflect our concurrence or nonconcurrence with findings and/or recommendations. Projected completion dates for specific actions have been provided for each finding with which we concur. Where we have nonconcurred with your findings and/or recommendations, specific rationale and proposed alternative actions have been provided.

Issues raised in the draft Audit report which do not directly apply to Washington Headquarters Services have not been addressed. Specifically, no response has been made to program management concerns relating to the DoD Civilian Personnel Management Service or the U.S. Air Force Personnel Center.

I appreciate the opportunity to review and comment on your draft report of the audit and your consideration of my remarks in the publication of your final report. Questions should be directed to A. L. Papenius, (703) 697-1703, Ms. Linda Dunleavy, (703) 617-7112 or Mr. John Downey, (703) 617-7113.


Final Report Reference


Finding:

"WHS possesses a security policy, security plan, and contingency plan and has system access and physical security controls in place. However, WHS needs to improve information assurance for DCPDS because it did not have the required information assurance controls in place to do the following:

a. conduct a risk analysis for its organization to identify and define overall system threats and vulnerabilities as required by DoD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," March 21, 1988 (The Directive),

b. complete a systems test and evaluation, or

c. ensure that its CSUs complete a security plan, contingency plan, and system accreditation and conduct a risk analysis and systems test and evaluation."

WHS Response:

a. Concur - A Risk Analysis for the WHS Regional Service Center (RSC) was conducted 1 October 1997, and a copy provided to Ms. Dorothy Dixon, Audit Team Leader, 31 December 1997. Item complete, no further action required.

b. Concur - A systems test and evaluation on the WHS RSC information technology infrastructure will be completed by the end of the 3rd quarter, FY 98.

c. Nonconcur -

(1) No command and control relationship exists between the WHS RSC and the CSUs. Each CSU is responsible for completing its own security plan, security policy, contingency plan and system accreditation and conduct a risk analysis and systems test and evaluation.

(2) As noted on page 6, in the section of your draft Audit Report outlining "Responsibilities for DCPDS Information Assurance", "CSU Responsibilities. The CSU systems architecture consists primarily of a desktop personal computer that processes sensitive-but-unclassified data. To achieve appropriate measures against threats and vulnerabilities, each CSU is responsible for conducting a risk analysis to identify most risks and threats associated with each workstation that processes personnel data." Each CSU is responsible to their Designated Approving Authority (DAA) for obtaining approval to operate. Introduction of the DCPDS client software into their IT environments should trigger their IT managers to conduct a new risk analysis and obtain an updated approval from their respective DAA. Again, since WHS has no relationship with the CSU command structure, other than in providing human resource management support, there currently exists no authority for WHS to conduct an independent risk analysis of any of its customers' workstations or other IT components.


Revised 
Finding:

a. "WHS did not perform a risk analysis and a systems security test and evaluation.

b. WHS did not establish an annual mandatory security training and awareness program."

WHS Response:

a. Concur. Although incomplete when the DoD IG conducted their audit, a Risk Analysis has been conducted and was forwarded to Ms. Dorothy Dixon, Audit Team Leader, on 31 December 1997. A Systems Security Test and Evaluation will be completed NLT the 3rd quarter, FY 1998.

b. Nonconcur. The Directorate for Personnel and Security, WHS, performs initial system security training for new employees upon their entry on duty. Annual refresher training is also conducted for all WHS DP&S employees. Adequacy of the training materials is currently under review. It is planned by the beginning of the 4th quarter, FY 98, to have a completely revised information system security training program.

With the exception of the CSU, the RSC does not provide general information system security training to CSU employees accessing the DCPDS. As with the division of responsibilities relating to the conduct of risk analyses and accreditations, it is the responsibility of the CSU and other customers' IT organizations to provide information assurance training to users. WHS does provide DCPDS system security awareness education during customer training for use of the Personnel Process Improvement (PPI) suite. Users are reminded to safeguard their passwords and not to share their user codes and passwords with others. With the implementation of release 5.2 of the PPIs, users are prompted to change their passwords every 180 days.


a. "Security Plan" (Page 8 of the Audit Report)

Findings:

..."Although the On-Site Inspection Agency's security policy stated that a system security plan will be prepared and maintained for all automated information systems, including networks processing classified or sensitive-but-unclassified information, it did not provide a completed security plan. Without an established security plan, the On-Site Inspection Agency has no assurance that it has developed a strategy for implementing information assurance controls and a methodology for validating security requirements."


WHS Response:

WHS can neither concur nor nonconcur with this finding. As noted above, no command and control relationship exists between the WHS RSC and the CSUs. Each Customer Support Unit is responsible for completing its own security plan, security policy, contingency plan and system accreditation and conduct a risk analysis and systems test and evaluation for their own IT environments.

As noted on page 5, in the section of your DRAFT Audit Report outlining "Responsibilities for DCPDS Information Assurance", "RSC Responsibilities. The WHS RSC maintains its own domain and is responsible for instituting its own security protection mechanisms and procedures as well as for implementing the minimum security requirements needed for systems to be secure in accordance with DoD regulations. To meet minimum security requirements, WHS must accredit its automated information system. An accreditation is the approval to operate in a particular security mode using prescribed safeguards. Part of the accreditation process is performing a risk analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence." As noted above, a Risk Analysis for the WHS RSC was conducted 1 October 1997. System security plans and policy documents were submitted to the WHS DAA. We have recently been verbally informed that our interim accreditation was made permanent.

As noted on page 6, in the section of your draft Audit Report outlining "Responsibilities for DCPDS Information Assurance", "CSU Responsibilities. The CSU systems architecture consists primarily of a desktop personal computer that processes sensitive-but-unclassified data. To achieve appropriate measures against threats and vulnerabilities, each CSU is responsible for conducting a risk analysis to identify most risks and threats associated with each workstation that processes personnel data."

In conclusion, each CSU is responsible to their DAA for obtaining approval to operate. The fact the DCPDS client software has been introduced into the IT environments should trigger the CSU's IT managers to conduct a new risk analysis and obtain an updated approval from their respective DAA. Since WHS has no relationship with the CSU command structure, other than in providing human resource management support, WHS is in no position to gauge the risks or threats imposed by the introduction of the PPI client software on the CSU IT infrastructure. Additionally, no authority currently exists for WHS to conduct an independent risk analysis of any of its customers' workstations or other IT components. Recommend your office address this issue directly to OSIA.


"The Joint Staff and the On-Site Inspection Agency did not provide contingency plans."

WHS Response:

WHS can neither concur nor nonconcur with this finding. As noted above, no command and control relationship exists between the WHS RSC and the CSUs. Each CSU is responsible for completing its own security plan, security policy, contingency plan and system accreditation and conduct a risk analysis and systems test and evaluation for their own IT environments.




Finding:

"Despite the DoD directive requiring a risk analysis and the guidance provided by the DCPDS Acquisition Program Manager, neither the RSC nor its CSUs (WHS, the Joint Staff and the On-Site Inspection Agency) conducted a risk analysis to identify security risks, to determine their magnitude, and to identify areas needing safeguards. In addition, they did not conduct accreditations on their workstations to support DCPDS certification and accreditation."


WHS Response:

Partially concur. A Risk Analysis for the WHS RSC was conducted 1 October 1997, and a copy provided to Ms. Dorothy Dixon, Audit Team Leader, 31 December 1997. Additionally, Ms. Dixon was furnished a copy of the Operational [illegible] letter for the WHS RSC provided by the DCPDS Acquisition Program Manager in November 1997. Item complete; no further action required.

WHS can neither concur nor nonconcur with references to risk analyses being conducted for any CSUs other than WHS. (The Risk Analysis and accreditation for the WHS CSU is included with that of the WHS RSC.) However, as it pertains to the other supported Customer Support Units and as noted above, no command and control relationship exists between the WHS RSC and those CSUs. Each CSU is responsible for completing its own security plan, security policy, contingency plan, system accreditation and to conduct a risk analysis and systems test and evaluation for their own IT environments.


Systems Security Test and Evaluation (Page 10 of the Audit Report)

Finding:

"WHS and its CSUs provided no evidence that they conducted a test and evaluation of the security of the system."


WHS Response:

Partially concur. A systems test and evaluation on the WHS RSC and the WHS CSU information technology infrastructure will be completed by the end of the 3rd quarter, FY 98.

As previously stated, WHS can neither concur nor nonconcur with references to risk analyses being conducted for any CSUs other than WHS. (The Risk Analysis and accreditation for the WHS CSU is included with that of the WHS RSC.) However, as it pertains to the other supported CSUs and as noted above, no command and control relationship exists between the WHS RSC and those CSUs. Each CSU is responsible for completing its own security plan, security policy, contingency plan, system accreditation and to conduct a risk analysis and systems test and evaluation for their own IT environments.


Finding:

"As of late August, neither WHS nor the On-Site Inspection Agency had an interim accreditation; however, in October 1997, WHS requested and received an extended interim authority to operate. According to the designated approving authority for WHS, WHS was operating without an interim authority from August 7, 1997, through October 8, 1997. In the absence of a signed statement of accreditation, an interim authority to operate should be obtained.... WHS is currently using the interim system that should be accredited by the designated approving authority to indicate that due care has been taken to protect the information in the system. A reaccreditation will be required when the target system is operational if changes to the interim system will affect the accredited safeguards or the prescribed security requirements. As a result, WHS has no assurance that its CSU's system is approved to operate using a prescribed set of safeguards at an acceptable level of risk and that due care has been taken to protect the information in the system."

WHS  Response: 

Concur with this finding as it relates to WHS. As previously noted, however, final accreditation has been verbally received by the DAA. Further, as indicated above, perceived deficiencies with any CSUs should be addressed to a particular Customer Support Unit.


Finding:

"...Although security awareness briefings for new users were conducted, security management personnel and users of the DCPDS at WHS have not received periodic annual training in computer security awareness, and an information assurance [illegible] awareness program with [illegible] classes was not [illegible]. Until [illegible] management did [illegible] the importance of information systems security training and awareness. According to the Information Systems Security Officer, an annual training program in computer security awareness had not been developed because of other higher priority jobs and insufficient time available for developing and implementing a program. For example, until recently, the routine job responsibilities of the Information Systems Security Officer included writing contract statements of work, meeting daily with the contractors, preparing information technology budget justifications, attending information technology budget meetings and briefings, [illegible], maintaining the inventory database, acting as the network manager, and performing additional duties as assigned. One of the additional duties assigned was the appointment as Information Systems Security Officer, which, assigned as an additional duty, did not get the attention needed to implement it as an adequate information assurance training and awareness program. As a result, WHS has no assurance that security management personnel and users have the computer security awareness necessary to promote a secure system environment."

WHS Response:

Nonconcur. Although the Information Systems Security Officer has other responsibilities assigned to him, those duties did not preclude his developing and implementing a viable computer security awareness program. As noted in the audit report, security awareness briefings for new users are conducted upon their entrance on duty. Each employee of the WHS Directorate for Personnel and Security receives an annual update briefing and these briefings are documented by the Information Systems Security Officer.

In addition to initial computer security awareness training being provided to all DP&S employees, WHS personnel also provide security awareness briefings as part of the training provided to new users of the DCPDS PPI suite. User training and security briefings are a prerequisite to receiving valid user logons and passwords to access the PPI suite.


On June 19, 1997, in an effort to comply with all aspects of the required security laws, the WHS initiated the procurement of security software that will work with its recently purchased firewall. The security software will be used to manage and audit all servers on the network.
WHS Response:

Concur. In September 1997, WHS obtained Omniguard/Enterprise Security Manager (ESM) and Omniguard/Intruder Alert (IA), both from Axent Technologies. ESM has been programmed with the security policies of WHS and is used to conduct periodic audits of all servers in the network to gauge compliance with those policies. Reports are provided by ESM to the Information Systems Security Officer and to senior management in WHS regarding the results of those audits. ESM analyses, for example, user password strengths, password ages, and looks for files on servers which may be accessible to unauthorized persons. It then makes recommendations for changes.

Intruder Alert monitors server activities and, according to rules determined by the Information Systems Security Officer, notifies system administrators of suspicious activities, denies access to apparently unauthorized persons attempting to logon to those servers and compiles daily reports for the Information Systems Security Officer.


Finding:

"1. We recommend that the Director for Personnel and Security, Washington Headquarters Services, direct the appropriate security personnel at WHS to:

a. conduct a risk analysis for its organization to identify and define overall system threats and vulnerabilities.

b. conduct a systems security test and evaluation.

c. ensure that its customer support units complete a security plan, contingency plan, and system accreditation and conduct a risk analysis and systems test and evaluation."

WHS Response:

a. Concur - A Risk Analysis for the WHS RSC was conducted 1 October 1997, and a copy provided to Ms. Dorothy Dixon, Audit Team Leader, 31 December 1997. Item complete; no further action required.

b. Concur - A systems test and evaluation on the WHS RSC information technology infrastructure will be completed by the end of the 3rd quarter, FY 98.

c. Nonconcur -

(1) No command and control relationship exists between the WHS RSC and the CSUs. Each Customer Support Unit is responsible for completing its own security plan, security policy, contingency plan and system accreditation and conduct a risk analysis and systems test and evaluation.
(2) As noted on page 6, in the section of your draft Audit Report outlining "Responsibilities for DCPDS Information Assurance": "The CSU systems architecture consists primarily of a desktop personal computer that processes sensitive-but-unclassified data. To achieve appropriate measures against threats and vulnerabilities, each CSU is responsible for conducting a risk analysis to identify most risks and threats associated with each workstation that processes personnel data." Each CSU is responsible to their DAA for obtaining approval to operate. The fact the DCPDS client software has been introduced into their IT environments should trigger the CSU IT managers to conduct a new risk analysis and obtain an updated approval from their respective DAA. Since WHS has no relationship with the CSU command structure, other than in providing human resource management support, there is no authority for WHS to conduct an independent risk analysis of any of its customers' workstations or other IT components.


Department  of  the  Air  Force  Comments 


DEPARTMENT OF THE AIR FORCE

HEADQUARTERS AIR FORCE COMMUNICATIONS AND INFORMATION CENTER
WASHINGTON, DC


5 May 98


MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDITING
OFFICE OF THE INSPECTOR GENERAL
DEPARTMENT OF DEFENSE

FROM: HQ AFCIC/SYNI

1250 Air Force Pentagon
Washington, DC 20330-1250

SUBJECT: Information Assurance for the Defense Civilian Personnel Data System - Washington Headquarters Services (Project No. 7RE-3006.03)

This is in reply to your memorandum requesting Air Force comments on the draft subject DoDIG report. The attachment contains AF/DPCX comments to the report findings and [illegible]. Please [illegible]. In addition, AFCIC/SYNI and AF/DP have requested SAF/FMPF change the OPR for all DCPDS audit reports to AF/DP. AFCIC/SYNI will remain as the OCR.

If you have any questions or need further assistance please contact Ms. Melinda Palmer, (703) 588-6167, AFCIC/SYNI, or Major Mendez, (703) 614-2475, AF/DPCX.

DONALD W. SOLANO, Lt Col, USAF
Chief, Information Protection Branch

Attachment:

AF/DPCX response

cc:

AFCIC/ITAI

AFCIC/SYSS

AF/DPCX

SAF/FMPF
DEPARTMENT OF THE AIR FORCE

HEADQUARTERS UNITED STATES AIR FORCE
WASHINGTON, DC


MEMORANDUM FOR AFCIC/ITAI


FROM:  AF/DPCX 


SUBJECT: DoDIG Draft Information Assurance for the Defense Civilian Personnel Data System, Washington Headquarters Services

This is in response to the SAF/FMPF memorandum, 26 March 1998, requesting comments on subject report. The attachment contains the Acquisition Program Management comments against the report findings. Please incorporate the management comments contained in the attachment and forward them to SAF/FMPF.


If you have any questions or need further assistance please contact Mendez, 703-614-2475 or e-mail nibe&mendez@dphq.afinll.


SHIRLEY WILLIAMS
Chief, Plans and Requirements Division
Directorate of Civilian Personnel Policy
and Personnel Plans


Attachment 

Acquisition  Program  Management  Response 
cc: 

SAF/FMPF 

AFCIC/SYSS 
Acquisition Program Manager Management Response
to a Draft Audit Report on

Information Assurance of the Defense Civilian Personnel Data System
Washington Headquarters Services,

Project No. 7RE-3006.03,

Dated December 17, 1997.


Program Management Comments: One of the circumstances we've encountered in the various Program and Component Information Assurance Audits is that the auditors are reviewing procedures and operations of the "interim" DCPDS but the findings and comments are directed towards the "modernized" DCPDS, which is still under development. There are significant differences between the two systems. Foremost, the interim system has been operational since 1994 and the modern system will not begin deployment until 199[illegible]. The interim DCPDS is the term used to describe applications developed and deployed by program functional experts and Central Design Activity (CDA) analysts and technical experts to support changes in personnel processes resulting from reengineering and/or changes in the structure of personnel services delivery. These applications were originally developed as prototypes but were enhanced and integrated at the request of the DoD Components (Military Services/Federal Agencies) to assist with regionalization of personnel services. Once the modern system is fully deployed, the interim system will be discontinued. This interim activity operates within all the requirements and guidelines that apply to the legacy DCPDS and typically received interim accreditation based on mission/operational expediency until the modern DCPDS is deployed. The management comments on the report findings are tempered by these distinctive differences.

Also, we realize that there is often a time element situation involved with the audit process, specifically the time between the auditor observations and findings and the published report that we are responding to. Several of the following comments are made relative to this situation.


Section I: DoD Audit Report Findings:


Finding: The DCPDS functional and acquisition program managers did not coordinate with WHS about their respective security management roles and responsibilities for the DCPDS information assurance program. (Page [illegible], under the heading of Information Assurance Program)

Response: Non-concur

The program managers have had extensive coordination with WHS project management through a variety of forums and venues concerning security management roles and responsibilities. Executive PM and Component PM meetings have been held monthly for three years. There have been bi-annual or quarterly sessions for at least four years of a Technical Information Group (TIG) with Component management staff participating, covering a variety of technical issues, including security. Several special working groups ([illegible] Working Group, Training Working Group, Computer Security Working Group, System Administration Committee (a TIG special action subset)) have been meeting periodically with designated Component members. Most specifically regarding the modern DCPDS, the Computer Security Working Group (CSWG) consists of representatives from the program office, user community, and implementing, operating, and supporting organizations to include Washington Headquarters Services (WHS). The working groups, chaired by the functional program management office, are used as a forum for developing and coordinating security policies, guidelines, and documentation for the modern system environment. Security management roles and responsibilities for the modern DCPDS are specified in the modern DCPDS Security Support Plan.

Action Complete.


Finding: Despite the DCPDS acquisition program manager's placing emphasis on the high priority to ensure risk management and security safeguards have [illegible] with program management; and the need for Components' continued support to achieve appropriate measures against threats and vulnerabilities, he did not [illegible] whether the regions performed the operational certifications or risk analysis. (Page 10, [illegible] Coordination With WHS by the Directorate of Personnel Data Systems)

Response: Partially concur

On 13 [illegible] 1997, the functional and acquisition program managers jointly issued a memorandum to the Component program managers, subject: DCPDS Modernization Program Operational Certification and Risk Analysis Status of the Regional Service Centers. This package included risk analysis guidelines and a site certification checklist that related to the Personnel Process Improvement (PPI) environment and transition to the modern system. The WHS interim system was given operational certification by the OSD DAA in October 1997. The [illegible] for WHS was accomplished on 30 October 1997 with all checklist areas, including system security areas, rated satisfactory or better. It was specifically noted that this regional setup regarding communications, security, training, etc., was the most outstanding seen to date. But, specifically, as the finding relates to [illegible] over its program management, the status of operational certification and analysis for regional site locations will be made an agenda item at all future CSWGs. Components will be required to brief the status of their risk analysis and operational certifications, to include projected milestone dates. Components who are unable to send a representative will be directed to provide the certification and accreditation status in writing for presentation at the CSWG.

Action  Compleae. 
Finding: The Acquisition Program Manager also did not follow up with WHS to determine the status of completion or target completion dates. Specifically, the Central Design Activity Security Coordinator could not provide evidence of a completed operational certification and risk analysis for WHS, or a target date for completion. (Page 10, [illegible] Coordination With WHS by the Directorate of Personnel Data Systems)

Response: Concur

Even though the conditions cited in this finding have been resolved (i.e., time element situation), as mentioned in the previous response, the status of operational certifications and analysis for regional site locations will be made an agenda item at future CSWGs. Components will be required to brief the status of their risk analysis and operational certification. Components who are unable to send a representative will be directed to provide the certification and accreditation status in writing. This will ensure the CDA Security Coordinator will be able to track the status of all operational certification and risk analysis activities.

Actioa  Complete. 


Finding: The DCPDS functional and acquisition program managers did not provide any training requirements for designated security personnel, such as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the Systems Administrator for the DCPDS. (Page 12, [illegible] under Coordination With DoD Components)

Response: Concur

a. The PPI software modules are enhancements to the legacy DCPDS environment and operate under the existing regulations and guidelines in place. They streamline previously manual personnel functions and help offset personnel staff losses resulting from regionalization. In this legacy environment, the participating Components maintained autonomy in many areas to include establishing their own security training requirements based on their respective regulations and directives.

b. A Training Support Plan (TSP) for the modern DCPDS has been developed which will support deployment. It identifies training requirements and actions [illegible] to support the development and operational use of the modernized DCPDS. The plan includes training across the spectrum of management, development and component-level staff, Regional Support Center (RSC), Customer Support Unit (CSU) and end-user personnel. This plan does not, however, address security in depth. A security annex for the DCPDS TSP will be developed which will identify training requirements for designated security personnel, such as the Information Systems Security Manager, Information Systems Security Officer, Network Administrator, and Systems Administrator for the DCPDS. This annex will be applicable and helpful to the sites still utilizing the PPI environment until they transition to the modern system.

ECD July 1998.


Finding: The DCPDS functional and acquisition managers did not provide training requirements for the designated security personnel for the DCPDS. Personnel designated as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the Systems Administrator were not either provided with or [illegible] any system-specific information assurance training addressing their roles and responsibilities. (Page and section reference illegible)

Response: Concur

a. As mentioned in the previous response, those Components that participated in the legacy DCPDS environment maintained autonomy in many areas to include establishing their own security training requirements based on their respective regulations and directives.

b. The Air Force, for example, has developed a two-week Systems Administrators training course [illegible] the PPI environment. Air Force Personnel Systems Managers (PSMs) are scheduled for this course [illegible] or within three months of receiving their [illegible]. The acquisition program manager will provide a copy of this training course to the functional program manager for review and then it will be made available to the other Components for possible system-wide use.

ECD July 1998.


Section II: Recommendation for Corrective Action


Recommendation: We recommend that the Technical Director, Directorate of Personnel Data Systems, Air Force Personnel Center, develop and implement procedures to coordinate with the Washington Headquarters Services and its customer support units and other DoD Components on their respective security management roles and responsibilities for the Defense Civilian Personnel Data System information assurance program, including establishing system-specific training requirements. (Page [illegible])

Response: Concur

a. The status of operational certification and risk analysis for regional site locations will be made an agenda item at all future CSWGs. Components will be required to brief the status of their risk analysis and operational certifications, to include projected milestone dates. Components who are unable to send a representative will be directed to provide the certification and accreditation status in writing for presentation at the CSWG.

b. The acquisition program management office will develop a security Annex to the DCPDS TSP. The annex will identify training requirements for designated security personnel, such as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the Systems Administrator for the DCPDS. This annex will be applicable to the PPI environment.

ECD July 1998.


Section III: Material Management Control Weakness


Finding: The controls for information assurance were inadequate to ensure the confidentiality, integrity, and availability of the information stored on and processed by the DCPDS. (Page 17, Adequacy of Management Controls)

Response: n/a

WHS will respond to this finding.


Finding: Management did not identify the DCPDS program or the computer security as an assessable unit. Therefore, it did not identify or report the material management control weakness identified by the audit. Management did not conduct an evaluation for FY [illegible]. Management did not reevaluate its assessable units to ensure that the management controls are addressed for all risk areas in the Personnel and Security Division, after the reorganization efforts in FY [illegible], as it originally planned. (Page 17, Adequacy of Management Control [illegible])

Response: n/a

WHS will respond to this finding.
DEPARTMENT OF DEFENSE
CIVILIAN PERSONNEL MANAGEMENT SERVICE
1400 KEY BOULEVARD
ARLINGTON, VA 22209-5144



MEMORANDUM FOR DIRECTOR, READINESS AND OPERATIONAL SUPPORT
DIRECTORATE, DEPARTMENT OF DEFENSE INSPECTOR
GENERAL


SUBJECT: Proposed Audit Report on Information Assurance for the Defense Civilian Personnel Data System - Washington Headquarters Services (Project No. 7RE-3006.03)


This memorandum constitutes the functional proponent's response to the Proposed Audit Report on Information Assurance for the Defense Civilian Personnel Data System - Washington Headquarters Services December 17, 1997 (Project No. 7RE-3006.03). The attached document responds to the applicable findings, identifies our concerns, and explains the revisions we believe are necessary so that the final report will accurately reflect Defense Civilian Personnel Data System program information. We appreciate the opportunity to comment.


Earl  T.  Payne 
Director 


Attachment: 
As  stated 
Functional Management Response

Draft Proposed Audit Report on Information Assurance
for the Defense Civilian Personnel Data System (DCPDS) -
Washington Headquarters Services
DoDIG Project No. 7RE-3006.03


EXECUTIVE  SUMMARY 

Introduction (page 1). Revised

"This report is the third of four reports in our ongoing review of the Defense Civilian Personnel Data System. The Defense Civilian Personnel Data System is an automated information system that will process sensitive-but-unclassified information for at least 750,000 Defense civilian personnel records at 23 regional personnel servicing centers and approximately 300 customer support units. The Defense agencies will establish four of the 23 regional personnel servicing centers. The Washington Headquarters Services will serve as manager of the National Capital Region Human Resources Services Center. Initially, the Washington Headquarters Services will process approximately 10,000 personnel records at seven customer support units."

Response: The proposed language may confuse readers since it does not distinguish between the legacy Defense Civilian Personnel Data System (DCPDS) and the modern DCPDS still under development. To avoid confusion we ask that you substitute the following language:

"This report is the third of four reports in our ongoing review of the Defense Civilian Personnel Data System. The DCPDS currently in operation is a legacy automated information system that processes sensitive-but-unclassified information for approximately 750,000 DoD civilian personnel records. The Department of Defense is modernizing the DCPDS as it regionalizes the delivery of civilian personnel service into 22 Regional Service Centers (RSCs) and approximately 300 Customer Support Units (CSUs). The modern DCPDS is scheduled to replace the legacy system by the time regionalization is completed in FY 1999. The Washington Headquarters Services National Capital Region, Human Resources Service Center (HRSC), will serve as one of the four Defense agency RSCs. The Washington Headquarters Services HRSC serves seven CSUs, processing approximately 10,000 personnel records using the legacy Defense Civilian Personnel Data System."

AUDIT  BACKGROUND 

Defense Civilian Personnel Data System (page 2). Revised

"The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) designated the Defense Civilian Personnel Data System (DCPDS) as an interim standard system in an April 22, 1991, memorandum. The memorandum designated the Secretary of the Air Force as the executive agent for the DCPDS. The DCPDS program exists to provide a seamless automated information system that will provide support for personnel policy actions and personnel decisions during peacetime, contingencies, and wartime. The DCPDS will support all DoD Components worldwide and will be used by personnel officials, employees, managers, and senior leadership at all levels of DoD operations throughout the world. DCPDS is envisioned to enable one personnel specialist to provide personnel services to about 100 civilian personnel. DCPDS is also envisioned to eliminate duplicative DoD Component and Defense agency personnel system costs and to reduce maintenance costs for mainframe computers. The current operational DCPDS supports the Military Departments and Defense agencies and consists of DCPDS software applications called personnel process improvements. The personnel process improvements are an important element in migrating to the modern system. The personnel process improvements application programs provide electronic means to generate, route, and process personnel actions; create and classify positions; initiate, route, and track training requests; and access current personnel database and associated data from other functional areas. The DCPDS interim system is designed to improve and enhance personnel staffs during the DoD transition to a downsized workforce."

Response: The proposed language may confuse readers since it does not distinguish between the legacy DCPDS and the modern DCPDS still under development. To avoid confusion we ask that you substitute the following language which describes the transition of the legacy DCPDS since it was designated as an interim standard system and clarifies the distinction between the legacy DCPDS and the modern DCPDS.

"The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) designated the DCPDS as an interim standard system in an April 22, 1991, memorandum. The memorandum designated the Secretary of the Air Force as the executive agent for the DCPDS. At that time, DCPDS consisted of a core system, the Air Force-developed Personnel Data System-Civilian (PDS-C), plus distinct Army and Navy versions of PDS-C. Since 1991, the Department has transitioned the Military Departments and most Defense agencies to a standard DCPDS.

To support the regionalization of civilian personnel service delivery, the Department developed a suite of software applications called Personnel Process Improvements (PPIs) that operate in conjunction with data from DCPDS in a client-server environment. The PPI Suite provides an electronic means to generate, route, and process personnel actions; create and classify positions; initiate, route, and track training requests; and access the personnel database and associated data from other functional areas. The client-server configuration is referred to as the interim DCPDS. The interim system is generally deployed when a Regional Service Center becomes operational.

The Department is now in the process of developing a modern DCPDS. The functionality of the PPI Suite will be included in the modern DCPDS. The modern DCPDS will provide a seamless automated information system that will support personnel policy actions and personnel decisions during peacetime, contingencies, and wartime. The modern DCPDS will support Components worldwide. Personnel officials, employees, managers, and senior leadership at all levels of the Department will use it. The modern DCPDS will also eliminate the need for duplicative Component headquarters personnel systems and reduce maintenance costs for mainframe computers."
Information Assurance Program (page 4, 12 and 13). "Additionally, the DCPDS functional and acquisition program managers did not coordinate with WHS about their respective security management roles and responsibilities for the DCPDS information assurance program."

Response: Nonconcur.

The legacy DCPDS was designed, developed, and implemented as an Air Force personnel system in the mid 1970s. When the ASD(C3I) designated the legacy DCPDS as the interim standard system in 1991, the functional program managers left the existing security management roles, responsibilities, and processes in place.

APPC has coordinated with the Components concerning the security management roles and responsibilities for the interim DCPDS. APPC also provided system administrator training and manuals to the Components that cover practices and procedures for granting access to the interim system. On February 12, 1997, APPC provided Component systems administrators a software release announcement for PPI Version 4.4 of the interim system. This release implemented the "test scripts" to configure servers and workstations in accordance with the established security policy. APPC provided another release announcement for the PPI Version 5.0 in June 1997. This announcement described the scripts and actions required to operate the system audit log feature.

CPMS, as the functional proponent for the DCPDS Modernization Program, is responsible for ensuring controls are in place to safeguard civilian personnel records in the modern DCPDS. Recently, CPMS published a coordinated modern DCPDS policy and security support plan. These documents clearly define the respective security management roles and responsibilities for the modern DCPDS. In addition, CPMS is in the final process of identifying the organizational component, which will serve as the modern DCPDS Designated Approving Authority (DAA). The modern DCPDS DAA will appoint a certification official who will oversee the Certification and Accreditation (C&A) process, and approve the level of risk for the modern DCPDS. The modern DCPDS DAA will oversee the development of the C&A package. The C&A package will describe the objectives, responsibilities, schedule, technical monitoring, and other activities in support of the C&A process.

Coordination With DoD Components (page 12 and 13). "Specifically, the DCPDS functional and acquisition program managers did not provide any training requirements for designated security personnel such as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the Systems Administrator for the DCPDS."

Response:  Concur. 

The legacy and interim DCPDS operate under existing computer security program regulations and guidelines. CPMS has not provided training requirements for designated security personnel using the legacy and interim DCPDS. In this environment, Components are responsible for establishing their own security training requirements based on their specific regulations and directives.
The modern DCPDS Computer Security Working Group (CSWG), chaired by CPMS, will develop a security annex for the modern DCPDS Training Support Plan. The annex will identify training requirements for security personnel, including the Information Systems Manager, the Information Systems Security Officer, the Network Administrator, and the Systems Administrator for the modern DCPDS.

Under the Regionalization Program, the modern DCPDS will operate in a standard operating environment of servers, workstations, peripherals, and communications networks for civilian personnel operations throughout DoD. A relational database will link to the client-server network located at Regional Service Centers and Customer Support Units. The interim DCPDS is currently deployed in this operating environment. Therefore, the DCPDS Training Support Plan Security Annex will apply to the interim DCPDS.